Home
News
Details

Microsoft Discloses Android Vulnerability Exposing 30M Crypto Wallets

iconCoinpedia
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
AI summary iconSummary

expand icon
Microsoft has released vulnerability news regarding an Android SDK flaw that exposed 30 million crypto wallet credentials. The issue, found in April 2025, let malicious apps bypass Android security to steal seed phrases and addresses. A patched SDK version 5.2.1 was issued by Microsoft and Google with EngageLab. Users should update apps, enable Google Play Protect, and avoid untrusted APKs. Those who haven’t updated since mid-2025 are advised to move funds to new wallets. This is a key crypto market update for Android users handling digital assets.
Thorchain hack
Story Highlights

  • Microsoft has published a report on an Android-native vulnerability in a version of the EngageLab SDK that exposed crypto wallet credentials to cybercriminals.

  • The breach bypassed sandbox security systems, allowing it to conduct app surveillance and relay user-sensitive information back to the hackers.

  • The issue has since been addressed, with Microsoft and Google directing Android users on how to check if their wallets have been patched.

Microsoft has published the details of an Android-native security vulnerability that exposed 30 million crypto wallet credentials to malicious actors.

The company’s Defender Security Research Team first identified the issue in April 2025 during a routine security research.

Microsoft details Android flaw affecting crypto wallets

The attack begins with the user installing malicious apps designed to bypass the Android sandbox. The latter is a security system that isolates phone apps, preventing them from “seeing” each other’s data. The app then sends a message to a vulnerable Software Development Kit (SDK), specifically version 4.5.4. An SDK is a fundamental component of every phone application, with most applications requiring several SDKs to run properly.

This corrupts all other apps that receive the message, tricking them into giving up read and write privileges for personal information within them, including crypto wallet seed phrases and addresses. This susceptibility is akin to leaving the windows open in what should be a top-security building.

How to protect your crypto wallet

Known as an “intent redirection,” the attack compromised over 50 million apps, including 30 million crypto wallets.

That said, Microsoft promptly teamed up with Google and the Android Security Team in May 2025. This led EngageLab to release the patched version – SDK 5.2.1.

The team now encourages users to swiftly update their apps and verify them using Google Play Protect. They also encourage downloading apps from the Play Store rather than as APK files from websites, since the former are subject to stricter security checks.

Even more, users who have not made any updates since mid-2025 are encouraged to move any funds they may have in their crypto wallets to new wallets with fresh seed phrases.

Related cybersecurity developments

The report is the latest regarding crypto-related Android flaws, with another involving Android chips flagged early last month.

Nonetheless, there is greater hope for industry security with the recently announced collaboration between the US Treasury and crypto firms to share cybersecurity information.

Today, @USTreasury OCCIP announced a new initiative to strengthen cybersecurity across the digital asset industry.

Eligible U.S. digital asset firms and industry organizations that meet Treasury’s criteria will be able to receive, at no cost, the same actionable cybersecurity…

— Treasury Department (@USTreasury) April 9, 2026
Tags
Crypto news
Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.